08-Security Command Reference

18-ND attack defense commands

ND attack defense commands

Source MAC consistency check commands

ipv6 nd check log enable

Use ipv6 nd check log enable to enable the ND logging feature.

Use undo ipv6 nd check log enable to restore the default.

Syntax

ipv6 nd check log enable

undo ipv6 nd check log enable

Default

The ND logging feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The ND logging feature logs source MAC inconsistency events, and sends the log messages to the information center. The information center can then output log messages from different source modules to different destinations. For more information about the information center, see Network Management and Monitoring Configuration Guide.

As a best practice, disable the ND logging feature to avoid excessive ND logs.

Examples

# Enable the ND logging feature.

<Sysname> system-view

[Sysname] ipv6 nd check log enable

Related commands

ipv6 nd mac-check enable

ipv6 nd mac-check enable

Use ipv6 nd mac-check enable to enable source MAC consistency check for ND messages.

Use undo ipv6 nd mac-check enable to disable source MAC consistency check for ND messages.

Syntax

ipv6 nd mac-check enable

undo ipv6 nd mac-check enable

Default

Source MAC consistency check for ND messages is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Use this command to enable source MAC consistency check on a gateway. For each ND message, the gateway checks that the source MAC address and the source link-layer address are consistent. If they are inconsistent, the gateway drops the ND message.

Examples

# Enable source MAC consistency check for ND messages.

<Sysname> system-view

[Sysname] ipv6 nd mac-check enable
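
The comparison described in the usage guidelines above, as an added Python sketch (not H3C code and not part of the original reference). It assumes Ethernet framing with no IPv6 extension headers, reads the source link-layer address from ND option type 1 (RFC 4861), and treats a malformed option as a drop; the function names, addresses, and sample frames are constructed for illustration.

```python
import struct

# Bytes of message-specific header after the 4-byte ICMPv6 header (RFC 4861):
# RS=133, RA=134, NS=135, NA=136, Redirect=137
ND_FIXED = {133: 4, 134: 12, 135: 20, 136: 20, 137: 36}
OPT_SLLA = 1  # Source Link-Layer Address option type


def nd_source_mac_consistent(frame: bytes) -> bool:
    """False means the frame would be dropped by the consistency check."""
    if len(frame) < 14 + 40 + 4:
        return True                      # too short to be IPv6 + ICMPv6
    eth_src = frame[6:12]
    if frame[12:14] != b"\x86\xdd":      # not IPv6
        return True
    if frame[14 + 6] != 58:              # next header is not ICMPv6
        return True                      # (extension headers not handled here)
    icmp = frame[54:]
    if icmp[0] not in ND_FIXED:          # not an ND message
        return True
    off = 4 + ND_FIXED[icmp[0]]
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(icmp):
            return False                 # malformed option: this sketch drops it
        if opt_type == OPT_SLLA and icmp[off + 2:off + 8] != eth_src:
            return False                 # SLLA disagrees with Ethernet source MAC
        off += opt_len
    return True


def build_ns(eth_src: bytes, slla: bytes) -> bytes:
    """Constructed sample: Neighbor Solicitation with an SLLA option (checksum zero)."""
    target = bytes.fromhex("20010db8" + "00" * 11 + "01")
    icmp = bytes([135, 0, 0, 0]) + bytes(4) + target + bytes([OPT_SLLA, 1]) + slla
    src = bytes.fromhex("fe80" + "00" * 13 + "01")
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255) + src + dst
    return bytes.fromhex("333300000001") + eth_src + b"\x86\xdd" + ip6 + icmp


HOST = bytes.fromhex("020000000001")     # constructed MAC addresses
FORGED = bytes.fromhex("020000000099")
if __name__ == "__main__":
    print(nd_source_mac_consistent(build_ns(HOST, HOST)))
    print(nd_source_mac_consistent(build_ns(HOST, FORGED)))
```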

ND attack detection commands

display ipv6 nd detection statistics

Use display ipv6 nd detection statistics to display statistics for ND messages dropped by ND attack detection.

Syntax

display ipv6 nd detection statistics [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays statistics for ND messages dropped by ND attack detection on all interfaces.

Examples

# Display statistics for all ND messages dropped by ND attack detection.

<Sysname> display ipv6 nd detection statistics

ND packets dropped by ND detection:

Interface          Packets dropped

XGE1/0/1           78

XGE1/0/2           0

XGE1/0/3           0

XGE1/0/4           0

Table 1 Command output

Field              Description

Interface          Input interface of the ND messages.

Packets dropped    Number of ND messages dropped by ND attack detection.

ipv6 nd detection enable

Use ipv6 nd detection enable to enable ND attack detection. This feature checks the ND message validity.

Use undo ipv6 nd detection enable to disable ND attack detection.

Syntax

ipv6 nd detection enable

undo ipv6 nd detection enable

Default

ND attack detection is disabled.

Views

VLAN view

Predefined user roles

network-admin

Examples

# Enable ND attack detection for VLAN 10.

<Sysname> system-view

[Sysname] vlan 10

[Sysname-vlan10] ipv6 nd detection enable

ipv6 nd detection trust

Use ipv6 nd detection trust to configure an interface as an ND trusted interface.

Use undo ipv6 nd detection trust to restore the default.

Syntax

ipv6 nd detection trust

undo ipv6 nd detection trust

Default

All interfaces are ND untrusted interfaces.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Examples

# Configure Ten-GigabitEthernet 1/0/1 as an ND trusted interface.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] ipv6 nd detection trust

# Configure Bridge-Aggregation 1 as an ND trusted interface.

<Sysname> system-view

[Sysname] interface bridge-aggregation 1

[Sysname-Bridge-Aggregation1] ipv6 nd detection trust

reset ipv6 nd detection statistics

Use reset ipv6 nd detection statistics to clear ND attack detection statistics.

Syntax

reset ipv6 nd detection statistics [ interface interface-type interface-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears ND attack detection statistics for all interfaces.

Examples

# Clear all ND attack detection statistics.

<Sysname> reset ipv6 nd detection statistics
